Incident Response and Intrusion Management has a lot to do with information. As far as cyber security is concerned, it's about LOGS.
What strategy would you utilize in terms of logs? Log everything, selectively log, or something else? Please provide your views on this important topic!
Shain R. Amzovski says
SANS has a six-step process that must be followed for Incident Response and Intrusion Management. These six steps include preparation, identification, containment, eradication, recovery, and lastly, follow-up. Logs can be defined as records related to activities that occurred on an information system. If your organization has the resources and storage, I would suggest logging everything. Yes, logging everything will increase the amount of data to sift through in the event of a breach to determine where, what, and how a breach occurred. By logging everything, this guarantees that if an intrusion occurred, it will most likely be found somewhere. Logs can come from several different areas of an organization. For example, logs can be pulled from firewalls, IPS, routers, IDS, servers, desktops, applications, databases, and VPNs. There are also several different types of logs that need to be analyzed. These logs include audit logs, transaction logs, intrusion logs, connection logs, system performance logs, user activity logs, etc. The reason why organizations should log everything is that it allows organizations to be aware of and discover new threats and eradicate them before they become a problem. Also, logs allow organizations to get metrics and trends. For example, analyzing the logs from an IPS will show IT security anomalies. Logging is also necessary for federal regulations and guidelines. Lastly, logging is important for incident response. Logging is definitely one of the most important things for an organization to do when it comes to incident response. Logs can be used in the 6-step SANS process for Incident Response.
Vaibhav Shukla says
Yeah, very well mentioned about logging that it is also necessary for federal regulations and guidelines. The NIST 800-53 document about controls actually mentions logging as a mandatory control for organizations building their security program. Logging should be followed by active monitoring, as without monitoring the incidents and flaws will remain undetected.
Julien Rossow-Greenberg says
Logging is a critical component of cyber security for any organization. Deciding what to log and how to maintain the integrity of the logs themselves are two crucial decisions any organization has to make. When it comes to determining what to log, in a perfect world the organization would log everything. However, due to storage restraints and costs, this is sometimes not feasible. If an organization is in this boat, they should determine what to log by prioritizing the controls which are protecting sensitive data. For example, a network segment which sensitive data is flowing through would be a priority over a segment through which non-sensitive data flows. Therefore, the organization would be sure to save logs from IDPS, firewalls, servers, etc. on the critical network segment and maybe be more selective on the non-critical.
Sachin Shah says
Great job, Julien. We face this issue in my job as we have patient information that is clinical and confidential, hence we have lots of application logging and backups. So on top of that there are lots of controls that protect this data and access points that need to be secure. We have stand-alone systems that are legacy based and playing on their strings; these are not heavily logged from an application or security point of view. Yet the servers, IDS, and VPN access to points where the clinical information is vital have much more security and logging.
Mengxue Ni says
I enjoyed reading your post, Julien. I agree with you that logging everything would be ideal for every organization. But due to storage issues, there is no organization that can do it now. Therefore logging effectively would be an alternative way. Log management is very important to use as well; it is not difficult to save sensitive data's logs, but managing them would be another problem.
Vaibhav Shukla says
Log files and alerts generated by IT systems often provide a vital audit trail to identify the cause of cyber security breaches and can also be used to proactively detect security incidents or suspicious activity that could lead to a cyber security incident, but there are a lot of challenges faced in it.
Logging everything should never be considered due to storage and cost problems. Logging needs to be done selectively and event-based.
Identification of business applications and technical infrastructure systems on which event logging should be enabled comes first; furthermore, information systems such as servers and firewalls should be configured so that they generate the right cyber security-related events. The logging should also be done context-based rather than logging everything, for example logging password changes, sudo configuration changes, and invalid login attempts.
The systems should be regularly tuned and reviewed to reduce the number of false positives to an acceptable level.
Defined retention requirements and/or log rotation periods can reduce legal and storage problems.
https://www.crest-approved.org/wp-content/uploads/2015/05/Cyber-Security-Monitoring-Guide.pdf
Zhengshu Wu says
Good answer, Vaibhav. Identifying the inventory of critical devices and systems is always the first step to determine the scope of the logs. At the same time, the inventory list should be reviewed regularly to reflect new systems that are added into the domains of the organization's network and to make sure there are no omissions of important logs.
Sachin Shah says
Good work, Vaibhav. The key to logging in programming or security is being selective and prioritizing. Logging on servers, firewalls, VPN, and IoT is very important, as well as key vendor accounts and network access points that are high risk.
Mengqi He says
Log management is necessary for an organization to improve their information security. From the security aspect, logs can be used to monitor and record system, network and user activities, and thus provide important clues about suspicious activities that may lead to an incident. I would suggest logging everything all the time because fragmented pieces of data sometimes may be inadequate to identify an incident. However, systems create hundreds of gigabytes of data per day for a large organization. Logging everything requires an organization to have adequate space to store those logs, and this would be a challenge to many organizations. With limited space for storage, logs must be cleaned periodically to provide space for incoming logs or be overwritten by new logs. Therefore, a log storage and retention policy is very important to guide an organization on what logs to keep and how long to keep them. The log retention highly depends on the log analysis ability and requirements of an organization. Log analysis is usually used for troubleshooting, detecting suspicious activities, security incident response, security auditing, forensics and compliance with regulations. The logs should be aggregated and normalized to be centrally analyzed by security specialists to determine whether there is anything abnormal. After analysis, useful log data can be archived while useless log data can be properly disposed of according to the retention policy. Therefore, high-speed analysis may require less space for storing logs, because useless logs can be cleaned or overwritten rapidly to provide space for new logs. In addition, one thing organizations should know is that logs from an incident can be used as evidence for forensics, so don't dispose of them even after the incident has ended.
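The aggregate-normalize-retain flow described in the post above, as an added example that is not part of the thread: two log formats (a JSON application log and a key=value firewall log) are mapped onto one record shape, and a retention policy then decides per record whether to archive it, dispose of it, or keep it on hold because its source address is tied to an open incident. The log lines, source names, retention periods and the reference time NOW are all constructed for this example.

```python
"""Normalize heterogeneous log lines into one record shape and apply a
retention policy that keeps security-relevant records longer than routine
ones and never disposes of records tied to an open incident.
All sample data and retention periods below are constructed (assumptions)."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: (source, raw line). Two formats on purpose.
SAMPLE_LINES = [
    ("app", '{"time":"2024-03-01T10:15:02Z","level":"WARN","event":"login_failed",'
            '"user":"admin","ip":"203.0.113.9"}'),
    ("app", '{"time":"2024-03-01T10:16:40Z","level":"INFO","event":"login_ok",'
            '"user":"alice","ip":"198.51.100.4"}'),
    ("firewall", "ts=2024-03-01T10:17:00Z action=deny src=203.0.113.9 dst=10.0.0.5 dport=3389"),
    ("firewall", "ts=2024-01-15T09:00:00Z action=allow src=10.0.0.8 dst=10.0.0.5 dport=443"),
]

# Constructed reference time used for the age calculation.
NOW = datetime(2024, 3, 5, tzinfo=timezone.utc)

# Assumed retention periods: routine events 30 days, security events 1 year.
RETENTION = {"routine": timedelta(days=30), "security": timedelta(days=365)}

KV_RE = re.compile(r"(\w+)=(\S+)")
SECURITY_APP_EVENTS = {"login_failed", "privilege_change"}


def parse_ts(value):
    """ISO-8601 with a trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize(source, line):
    """Map one raw line to the common record: ts, source, event, src_ip,
    security_relevant. Returns None for lines that do not parse."""
    if source == "app":
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            return None
        return {"ts": parse_ts(obj["time"]), "source": source,
                "event": obj["event"], "src_ip": obj.get("ip"),
                "security_relevant": obj["event"] in SECURITY_APP_EVENTS}
    if source == "firewall":
        kv = dict(KV_RE.findall(line))
        if "ts" not in kv:
            return None
        return {"ts": parse_ts(kv["ts"]), "source": source,
                "event": "fw_" + kv.get("action", "unknown"), "src_ip": kv.get("src"),
                "security_relevant": kv.get("action") == "deny"}
    return None


def retention_decision(record, now, incident_ips=frozenset()):
    """'hold' for evidence of an open incident, otherwise 'archive' while the
    record is inside its retention period and 'dispose' once it is older."""
    if record["src_ip"] in incident_ips:
        return "hold"
    bucket = "security" if record["security_relevant"] else "routine"
    return "archive" if now - record["ts"] <= RETENTION[bucket] else "dispose"


def process(lines, now=NOW, incident_ips=frozenset()):
    """Return [(event, src_ip, decision)] for every parseable line."""
    out = []
    for source, line in lines:
        rec = normalize(source, line)
        if rec is not None:
            out.append((rec["event"], rec["src_ip"], retention_decision(rec, now, incident_ips)))
    return out


if __name__ == "__main__":
    for row in process(SAMPLE_LINES, incident_ips=frozenset({"203.0.113.9"})):
        print(row)
```

The allowed firewall connection from January is the only record old enough to be disposed of; marking 203.0.113.9 as an incident address turns both of its records into holds regardless of age, which is the "keep the evidence" point the post ends on.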
Zhengshu Wu says
Mengqi, good post! Considerations of forensic investigation should not be ignored when deciding the retention policy and period of logs. In many cases, when logs are set up and configured properly, they can tell the story of the tactics a hacker used during a breach. They can give insight as to how advanced (or not) the hacker is, and provide an understanding of the extent of a breach by showing how long a hacker was inside the confines of the firewall.
Zhengshu Wu says
Logs from the critical components of the network and business should be kept, including firewall, key servers, especially the Active Directory server and key application and database servers, IDS, antivirus and web server.
Therefore, we need to think about what the key elements of the network are, from a business standpoint. Think about the parts of the infrastructure that are crucial to running the business. The logs those components generate are the keys to keeping the network up and the business running.
Especially for a small/medium company, it's important to decide what is important to be watching, as limited resources are allowed to be allocated to the security monitoring task. It is impossible to hire enough people to read every line of those logs looking for bad stuff. Even if you could, the analysts would never actually spot anything even if it was right in front of their faces.
So here are the logs we need to consider for inclusion in your situation:
Logs from your security controls:
• IDS
• Endpoint Security (Antivirus, antimalware)
• Data Loss Prevention
• VPN Concentrators
• Web filters
• Honeypots
• Firewalls
Logs from your network infrastructure:
• Routers
• Switches
• Domain Controllers
• Wireless Access Points
• Application Servers
• Databases
• Intranet Applications
Non-log infrastructure information:
• Configuration
• Locations
• Owners
• Network Maps
• Vulnerability Reports
• Software Inventory
Non-log business information:
• Business Process Mappings
• Points of Contact
• Partner Information
Loi Van Tran says
Regular log collection is critical to the organization to understand security incidents during an active investigation and to perform post-mortem analysis. Without appropriate audit logging, a security incident can go unnoticed and it will be hard for the organization to determine whether or not an attack led to a breach.
Logging should be selective and risk-based because it is not economically possible to log everything. A major factor for logging consideration is legal and regulatory compliance against standards such as FISMA, GLBA, HIPAA, SOX, and PCI-DSS.
The NIST SP 800-92 Guide to Computer Security Log Management provides some great insight on what to consider in a log management program. Some of the basic logs considerations are below:
Security Software – network or host-based security software to detect malicious activity, protect systems and data, and support incident response efforts. This is considered a major source of computer security log data. Common types are listed below:
– Antimalware Software, IDS/IPS, Remote Access software, Web proxies, Vulnerability Management Software, Authentication servers, Routers, Firewalls, and network quarantine servers.
Operating Systems – OS for servers, workstations, and networking devices usually log a variety of information related to security.
– System events: includes shutting down or starting services, failed events.
– Audit records: contains successful/unsuccessful authentication attempts, file access, security policy changes, account changes, and use of privileges.
Other considerations are provided here: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-92.pdf
Sachin Shah says
Thanks for posting the link, which I plan to read. I think logging is more important post-mortem than real-time. Basically most companies do not have the resources or bandwidth to hire people to just analyze logs. If the budget is there then absolutely, and the security software and server OS are on point.
Marcus A. Wilson says
Logging is critical for an organization to gain insight into what is going on within their information systems environment. As far as a strategy, I would selectively log based on the overall organization, risk analysis, and the industry that the organization is in. If there is more regulation surrounding the particular industry, I would want to side with the heavy log option. A risk analysis can expose the critical parts of the organization's network and help understand where the full logging capabilities are needed. It can be hard to determine how much is enough or too much, but I would at the minimum want enough logging to be able to investigate any unauthorized access, which once again is still a challenge to understand how much is needed for even the minimum.
Mengxue Ni says
Nice post, Marcus. It is hard to decide what to log at first; then the second problem the security team would face is how to save them and manage them when needed. Lastly, how long we should keep them is another problem that the organization should consider. But we know one thing: logging is very critical for security in every organization.
Mengxue Ni says
Logging is one of the most powerful tools. Log everything would be ideal but it is most likely impossible because of storage issue. Servers and applications can generate log data on a variety of processes, from simply announcing that everything is healthy to detailed information on events and processes running. The trick to effective log management is knowing what needs to be monitored and managed, and having the right tool in place that gives you flexibility to get the deepest, most valuable insights from the mountains of data that logs can contain.
You can utilize some log management software or applications to help you monitor and manage logs better. Good log management tools will allow this to be done in real time, by centralizing, analyzing and visualizing log data immediately. Information can be presented to the applicable users in the form of generated reports or even real-time graphical dashboards that update to show the manager an at-a-glance look at the data they have determined is most critical for their needs. Multiple dashboards targeted at specific business areas, and shared across the team or organization, enable data to be presented simultaneously in a form most appropriate for each individual user.
Sachin Shah says
In terms of logging, I can relate cyber security to the programming I do in HL7 middleware. We try to log as much as possible, yet we run into issues with space and archiving, and therefore a company needs to prioritize. First one needs to understand the type of industry they are in, the value of the information and the risks associated with it. If I had to pick in my company, I would have heavy logging on my VPN and firewalls, especially on points where vendors access our network and users remote in. What if a laptop is stolen, or a person brings a personal laptop to the office and plugs it into an Ethernet jack? Also access to all databases and access points to the application servers that host the important systems the users or business operate upon.
Kevin Blankenship says
Logging is vital to understanding the information moving through your organization's network. Ideally every interaction gets logged and reviewed. But space and time are limited, so choosing what and how to log is important. Many regulations cover which systems should be logged and how thorough the logging should be. PCI DSS, for example, wants all traffic in and out of the PCI zone to be monitored. Other areas can be much less regulated. Development environments, and outer firewall layers to other firewall layers, may not need a deep view. Ultimately it comes down to the context of the environment and which industry the organization is in. A bank or government organization will need to invest in logging more than a car repair shop would.
Ryan P Boyce says
In terms of my log strategy, I would let the importance of the system determine what I log. I've seen production database systems that have everything logged: everything from connections to the server to simple SQL SELECT commands was logged. Depending on the use of the database, this style of logging can cause major disk space usage, but it is necessary. Some companies fall under specific NIST or government guidelines where logging is required at the highest levels across all systems. I would let the nature of the business I am conducting and the regulations my business needs to abide by determine my logging approach.
Anthony Clayton Fecondo says
Logging is a crucial component of security, but the extent to which a company should log is a topic of debate. I believe that logging everything is cost and resource prohibitive and should never be a company’s logging strategy. I believe partial logging can capture all the necessary log information as long as the logging capabilities of each system are configured properly. The best approach to configuring what should be logged and what shouldn’t would be to look at the classifications of information that the organization handles and establish logging requirements for each data classification level. Once these requirements are created, the organization needs to determine which systems handle which classifications of data and apply the corresponding logging configurations.
Joseph Nguyen says
Companies should also perform yearly data privacy audits where IT auditors can assess the organization's data privacy policies, practices, data governance, third-party contracts, data classification, firewall/IDS tuning and reporting, log management and event monitoring.
Logs are used as a passive investigative tool, and their efficiency is best when they are monitored with appropriate alert thresholds and corresponding actions. Monitoring means separating the informational events from the actionable events that need to get attention, an alert and appropriate action. It should have details and follow-up activities if possible.
Monitoring also means automating the parsing of log files, and Perl is a great tool for it. A couple of Perl command lines are enough to search for important words, IP addresses or whatever is relevant, and sending an email to the administrator seems to be a good strategy.
What events to log is also key in reducing the size of log files. For a server, it could be the CPU, size of the disk, users etc., and for an IDS it could be any alert from level 2 to level 0, for example. Time and experience can tell what events are more important than others, I think.
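The threshold-based monitoring described in the post above, and the context-based events Vaibhav listed earlier (password changes, sudo configuration changes, invalid login attempts), as one added example that is not part of the thread. It is written in Python rather than the Perl one-liners the post suggests, and the log lines, the five-failures-in-five-minutes threshold, the list of sudo configuration commands and the `notify()` callback (a stand-in for emailing the administrator) are all assumptions.

```python
"""Separate actionable events from informational ones in an auth-style log,
count invalid login attempts per source address inside a sliding window, and
hand every alert to a notifier. Sample lines, thresholds and the notifier
are constructed for this example (assumptions, not a real deployment)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, process[pid], message.
SAMPLE_LOG = """\
2024-03-01T10:15:02Z sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 5522
2024-03-01T10:15:05Z sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 5523
2024-03-01T10:15:09Z sshd[2210]: Failed password for root from 203.0.113.9 port 5524
2024-03-01T10:15:12Z sshd[2211]: Accepted publickey for alice from 198.51.100.4 port 5530
2024-03-01T10:15:20Z sshd[2210]: Failed password for root from 203.0.113.9 port 5525
2024-03-01T10:15:25Z sshd[2210]: Failed password for root from 203.0.113.9 port 5526
2024-03-01T10:20:00Z passwd[3001]: password changed for bob
2024-03-01T10:21:00Z sudo[3102]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/visudo
2024-03-01T10:22:00Z cron[3200]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\w+)\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
PWCHG_RE = re.compile(r"^password changed for (?P<user>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>\S+)")

# Assumed tuning: 5 failures from one address within 5 minutes is actionable;
# any edit of the sudo configuration is actionable on its own.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=5)
SUDO_CONFIG_CMDS = ("/usr/bin/visudo", "/usr/sbin/visudo", "/etc/sudoers")


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def email_admin(alert):
    """Stand-in for the 'send an email to the administrator' action."""
    print("ALERT", alert)


def monitor(text, notify=email_admin):
    """Run the rules over the log text; call notify(alert) for each actionable
    event and return the list of alerts so callers can inspect them."""
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
    alerts = []

    def raise_alert(kind, ts, detail):
        alert = {"kind": kind, "ts": ts.isoformat(), **detail}
        alerts.append(alert)
        notify(alert)

    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unparseable line: skipped, not silently dropped in a real tool
        ts, proc, msg = parse_ts(m["ts"]), m["proc"], m["msg"]
        if proc == "sshd" and (f := FAIL_RE.match(msg)):
            q = failures[f["ip"]]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= FAIL_THRESHOLD:
                raise_alert("invalid_login_burst", ts, {"src_ip": f["ip"], "count": len(q)})
                q.clear()  # one alert per burst, not one per further failure
        elif proc == "passwd" and (p := PWCHG_RE.match(msg)):
            raise_alert("password_change", ts, {"user": p["user"]})
        elif proc == "sudo" and (s := SUDO_RE.match(msg)):
            if any(s["cmd"].startswith(c) for c in SUDO_CONFIG_CMDS):
                raise_alert("sudo_config_change", ts, {"user": s["user"], "cmd": s["cmd"]})
        # successful logins, cron runs and the like are informational: no alert
    return alerts


if __name__ == "__main__":
    monitor(SAMPLE_LOG)
```

Only three alerts come out of nine lines: one for the burst of failures from 203.0.113.9 (raised once, on the fifth failure, rather than on every failure after it), one for the password change and one for the `visudo` run. The threshold and window are what the post calls the part that "time and experience" must tune; lowering them trades false positives for earlier warning.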
Josh Zenker says
I think we all agree that it isn’t feasible to log everything—or at least it’s not feasible to retain logs of everything. The storage required would be costly, and much of the data you stored would probably never end up being useful. Your organization needs to set priorities about what activities need to be logged. You will most likely need to engage your risk management, legal, and/or compliance teams, depending on your industry, to determine what logs must absolutely be retained. Beyond that, it is up to your IT organization to decide which logs are most important.
You should focus on your most critical applications and services. You want to make sure you’re capturing all log messages above a certain severity (e.g. “warning”) for those critical systems. For forensic purposes, you will also want audit logs, which show who performed changes to each system and when. Once you have chosen which logs to store, you should consider the benefits of log analysis tools like Splunk. Their pricing model can be prohibitively expensive, but they are immensely helpful when you need to find correlations between log messages across different systems. They can turn terabytes of incomprehensible log data into meaningful information, which you can use to solve problems or plan for the future.